Merge tag '20201024-v4-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/wtarreau/prandom

Pull random32 updates from Willy Tarreau:
"Make prandom_u32() less predictable.

This is the cleanup of the latest series of prandom_u32
experimentations consisting in using SipHash instead of Tausworthe to
produce the randoms used by the network stack.

The changes to the files were kept minimal, and the controversial
commit that used to take noise from the fast_pool (f227e3ec3b5c) was
reverted. Instead, a dedicated "net_rand_noise" per_cpu variable is
fed from various sources of activities (networking, scheduling) to
perturb the SipHash state using fast, non-trivially predictable data,
instead of keeping it fully deterministic. The goal is essentially to
make any occasional memory leakage or brute-force attempt useless.

The resulting code was verified to be very slightly faster on x86_64
than what it was with the controversial commit above, though this
remains barely above measurement noise. It was also tested on i386 and
arm, and build-tested only on arm64"

Link: https://lore.kernel.org/netdev/20200808152628.GA27941@SDF.ORG/

* tag '20201024-v4-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/wtarreau/prandom:
random32: add a selftest for the prandom32 code
random32: add noise from network and scheduling activity
random32: make prandom_u32() output unpredictable

+404 -190
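--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1277,7 +1277,6 @@
 
 	fast_mix(fast_pool);
 	add_interrupt_bench(cycles);
-	this_cpu_add(net_rand_state.s1, fast_pool->pool[cycles & 3]);
 
 	if (unlikely(crng_init == 0)) {
 		if ((fast_pool->count >= 64) &&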
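--- a/include/linux/prandom.h
+++ b/include/linux/prandom.h
@@ -16,11 +16,61 @@
 void prandom_seed(u32 seed);
 void prandom_reseed_late(void);
 
+DECLARE_PER_CPU(unsigned long, net_rand_noise);
+
+#define PRANDOM_ADD_NOISE(a, b, c, d) \
+	prandom_u32_add_noise((unsigned long)(a), (unsigned long)(b), \
+			      (unsigned long)(c), (unsigned long)(d))
+
+#if BITS_PER_LONG == 64
+/*
+ * The core SipHash round function. Each line can be executed in
+ * parallel given enough CPU resources.
+ */
+#define PRND_SIPROUND(v0, v1, v2, v3) ( \
+	v0 += v1, v1 = rol64(v1, 13), v2 += v3, v3 = rol64(v3, 16), \
+	v1 ^= v0, v0 = rol64(v0, 32), v3 ^= v2, \
+	v0 += v3, v3 = rol64(v3, 21), v2 += v1, v1 = rol64(v1, 17), \
+	v3 ^= v0, v1 ^= v2, v2 = rol64(v2, 32) \
+)
+
+#define PRND_K0 (0x736f6d6570736575 ^ 0x6c7967656e657261)
+#define PRND_K1 (0x646f72616e646f6d ^ 0x7465646279746573)
+
+#elif BITS_PER_LONG == 32
+/*
+ * On 32-bit machines, we use HSipHash, a reduced-width version of SipHash.
+ * This is weaker, but 32-bit machines are not used for high-traffic
+ * applications, so there is less output for an attacker to analyze.
+ */
+#define PRND_SIPROUND(v0, v1, v2, v3) ( \
+	v0 += v1, v1 = rol32(v1, 5), v2 += v3, v3 = rol32(v3, 8), \
+	v1 ^= v0, v0 = rol32(v0, 16), v3 ^= v2, \
+	v0 += v3, v3 = rol32(v3, 7), v2 += v1, v1 = rol32(v1, 13), \
+	v3 ^= v0, v1 ^= v2, v2 = rol32(v2, 16) \
+)
+#define PRND_K0 0x6c796765
+#define PRND_K1 0x74656462
+
+#else
+#error Unsupported BITS_PER_LONG
+#endif
+
+static inline void prandom_u32_add_noise(unsigned long a, unsigned long b,
+					 unsigned long c, unsigned long d)
+{
+	/*
+	 * This is not used cryptographically; it's just
+	 * a convenient 4-word hash function. (3 xor, 2 add, 2 rol)
+	 */
+	a ^= raw_cpu_read(net_rand_noise);
+	PRND_SIPROUND(a, b, c, d);
+	raw_cpu_write(net_rand_noise, d);
+}
+
 struct rnd_state {
 	__u32 s1, s2, s3, s4;
 };
-
-DECLARE_PER_CPU(struct rnd_state, net_rand_state);
 
 u32 prandom_u32_state(struct rnd_state *state);
 void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
@@ -117,6 +67,7 @@
 	state->s2 = __seed(i, 8U);
 	state->s3 = __seed(i, 16U);
 	state->s4 = __seed(i, 128U);
+	PRANDOM_ADD_NOISE(state, i, 0, 0);
 }
 
 /* Pseudo random number generator from numerical recipes. */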
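Review bot: prandom_u32_add_noise reads and writes net_rand_noise with raw_cpu_read/raw_cpu_write, and nothing in the header says why the non-preemption-safe accessors are acceptable; a reader will wonder whether a CPU migration between the read and the write is a bug. Since a lost or torn update only costs a little noise, that looks deliberate, and a comment should say so, e.g. `/* raw_cpu_* on purpose: a lost update after a CPU migration only costs noise, so no preemption protection is needed */`. The PRND_SIPROUND macros also depend on rol64/rol32 from <linux/bitops.h>, which this header does not visibly include (lib/random32.c adds it for itself in the same commit); if prandom.h relies on an include chain for that, an explicit include would keep the header self-contained.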
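--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1706,6 +1706,8 @@
 {
 	struct task_struct *p = current;
 
+	PRANDOM_ADD_NOISE(jiffies, user_tick, p, 0);
+
 	/* Note: this timer irq context must be accounted for as well. */
 	account_process_tick(p, user_tick);
 	run_local_timers();
@@ -1719,13 +1717,6 @@
 	scheduler_tick();
 	if (IS_ENABLED(CONFIG_POSIX_TIMERS))
 		run_posix_cpu_timers();
-
-	/* The current CPU might make use of net randoms without receiving IRQs
-	 * to renew them often enough. Let's update the net_rand_state from a
-	 * non-constant value that's not affine to the number of calls to make
-	 * sure it's updated when there's some activity (we don't care in idle).
-	 */
-	this_cpu_add(net_rand_state.s1, rol32(jiffies, 24) + user_tick);
 }
 
 /**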
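Review bot: The new `PRANDOM_ADD_NOISE(jiffies, user_tick, p, 0);` at the top of update_process_times carries no comment, while the block it replaces explained why the tick feeds the network PRNG; without that, the call reads as an unrelated PRNG helper dropped into the tick path. Suggest keeping a one-line rationale, e.g. `/* Feed tick activity into the prandom noise so CPUs that see few IRQs still perturb their PRNG state. */`. update_process_times begins before the hunk, and this hunk shows no include of <linux/prandom.h>; presumably it is already in scope since the removed line used net_rand_state, but that is worth confirming.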
+345 -180
lib/random32.c
··· 38 38 #include <linux/jiffies.h> 39 39 #include <linux/random.h> 40 40 #include <linux/sched.h> 41 + #include <linux/bitops.h> 41 42 #include <asm/unaligned.h> 42 43 #include <trace/events/random.h> 43 - 44 - #ifdef CONFIG_RANDOM32_SELFTEST 45 - static void __init prandom_state_selftest(void); 46 - #else 47 - static inline void prandom_state_selftest(void) 48 - { 49 - } 50 - #endif 51 - 52 - DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy; 53 44 54 45 /** 55 46 * prandom_u32_state - seeded pseudo-random number generator. ··· 60 69 return (state->s1 ^ state->s2 ^ state->s3 ^ state->s4); 61 70 } 62 71 EXPORT_SYMBOL(prandom_u32_state); 63 - 64 - /** 65 - * prandom_u32 - pseudo random number generator 66 - * 67 - * A 32 bit pseudo-random number is generated using a fast 68 - * algorithm suitable for simulation. This algorithm is NOT 69 - * considered safe for cryptographic use. 70 - */ 71 - u32 prandom_u32(void) 72 - { 73 - struct rnd_state *state = &get_cpu_var(net_rand_state); 74 - u32 res; 75 - 76 - res = prandom_u32_state(state); 77 - trace_prandom_u32(res); 78 - put_cpu_var(net_rand_state); 79 - 80 - return res; 81 - } 82 - EXPORT_SYMBOL(prandom_u32); 83 72 84 73 /** 85 74 * prandom_bytes_state - get the requested number of pseudo-random bytes ··· 92 121 } 93 122 EXPORT_SYMBOL(prandom_bytes_state); 94 123 95 - /** 96 - * prandom_bytes - get the requested number of pseudo-random bytes 97 - * @buf: where to copy the pseudo-random bytes to 98 - * @bytes: the requested number of bytes 99 - */ 100 - void prandom_bytes(void *buf, size_t bytes) 101 - { 102 - struct rnd_state *state = &get_cpu_var(net_rand_state); 103 - 104 - prandom_bytes_state(state, buf, bytes); 105 - put_cpu_var(net_rand_state); 106 - } 107 - EXPORT_SYMBOL(prandom_bytes); 108 - 109 124 static void prandom_warmup(struct rnd_state *state) 110 125 { 111 126 /* Calling RNG ten times to satisfy recurrence condition */ ··· 105 148 prandom_u32_state(state); 106 149 
prandom_u32_state(state); 107 150 prandom_u32_state(state); 108 - } 109 - 110 - static u32 __extract_hwseed(void) 111 - { 112 - unsigned int val = 0; 113 - 114 - (void)(arch_get_random_seed_int(&val) || 115 - arch_get_random_int(&val)); 116 - 117 - return val; 118 - } 119 - 120 - static void prandom_seed_early(struct rnd_state *state, u32 seed, 121 - bool mix_with_hwseed) 122 - { 123 - #define LCG(x) ((x) * 69069U) /* super-duper LCG */ 124 - #define HWSEED() (mix_with_hwseed ? __extract_hwseed() : 0) 125 - state->s1 = __seed(HWSEED() ^ LCG(seed), 2U); 126 - state->s2 = __seed(HWSEED() ^ LCG(state->s1), 8U); 127 - state->s3 = __seed(HWSEED() ^ LCG(state->s2), 16U); 128 - state->s4 = __seed(HWSEED() ^ LCG(state->s3), 128U); 129 - } 130 - 131 - /** 132 - * prandom_seed - add entropy to pseudo random number generator 133 - * @entropy: entropy value 134 - * 135 - * Add some additional entropy to the prandom pool. 136 - */ 137 - void prandom_seed(u32 entropy) 138 - { 139 - int i; 140 - /* 141 - * No locking on the CPUs, but then somewhat random results are, well, 142 - * expected. 143 - */ 144 - for_each_possible_cpu(i) { 145 - struct rnd_state *state = &per_cpu(net_rand_state, i); 146 - 147 - state->s1 = __seed(state->s1 ^ entropy, 2U); 148 - prandom_warmup(state); 149 - } 150 - } 151 - EXPORT_SYMBOL(prandom_seed); 152 - 153 - /* 154 - * Generate some initially weak seeding values to allow 155 - * to start the prandom_u32() engine. 
156 - */ 157 - static int __init prandom_init(void) 158 - { 159 - int i; 160 - 161 - prandom_state_selftest(); 162 - 163 - for_each_possible_cpu(i) { 164 - struct rnd_state *state = &per_cpu(net_rand_state, i); 165 - u32 weak_seed = (i + jiffies) ^ random_get_entropy(); 166 - 167 - prandom_seed_early(state, weak_seed, true); 168 - prandom_warmup(state); 169 - } 170 - 171 - return 0; 172 - } 173 - core_initcall(prandom_init); 174 - 175 - static void __prandom_timer(struct timer_list *unused); 176 - 177 - static DEFINE_TIMER(seed_timer, __prandom_timer); 178 - 179 - static void __prandom_timer(struct timer_list *unused) 180 - { 181 - u32 entropy; 182 - unsigned long expires; 183 - 184 - get_random_bytes(&entropy, sizeof(entropy)); 185 - prandom_seed(entropy); 186 - 187 - /* reseed every ~60 seconds, in [40 .. 80) interval with slack */ 188 - expires = 40 + prandom_u32_max(40); 189 - seed_timer.expires = jiffies + msecs_to_jiffies(expires * MSEC_PER_SEC); 190 - 191 - add_timer(&seed_timer); 192 - } 193 - 194 - static void __init __prandom_start_seed_timer(void) 195 - { 196 - seed_timer.expires = jiffies + msecs_to_jiffies(40 * MSEC_PER_SEC); 197 - add_timer(&seed_timer); 198 151 } 199 152 200 153 void prandom_seed_full_state(struct rnd_state __percpu *pcpu_state) ··· 125 258 } 126 259 } 127 260 EXPORT_SYMBOL(prandom_seed_full_state); 128 - 129 - /* 130 - * Generate better values after random number generator 131 - * is fully initialized. 132 - */ 133 - static void __prandom_reseed(bool late) 134 - { 135 - unsigned long flags; 136 - static bool latch = false; 137 - static DEFINE_SPINLOCK(lock); 138 - 139 - /* Asking for random bytes might result in bytes getting 140 - * moved into the nonblocking pool and thus marking it 141 - * as initialized. In this case we would double back into 142 - * this function and attempt to do a late reseed. 
143 - * Ignore the pointless attempt to reseed again if we're 144 - * already waiting for bytes when the nonblocking pool 145 - * got initialized. 146 - */ 147 - 148 - /* only allow initial seeding (late == false) once */ 149 - if (!spin_trylock_irqsave(&lock, flags)) 150 - return; 151 - 152 - if (latch && !late) 153 - goto out; 154 - 155 - latch = true; 156 - prandom_seed_full_state(&net_rand_state); 157 - out: 158 - spin_unlock_irqrestore(&lock, flags); 159 - } 160 - 161 - void prandom_reseed_late(void) 162 - { 163 - __prandom_reseed(true); 164 - } 165 - 166 - static int __init prandom_reseed(void) 167 - { 168 - __prandom_reseed(false); 169 - __prandom_start_seed_timer(); 170 - return 0; 171 - } 172 - late_initcall(prandom_reseed); 173 261 174 262 #ifdef CONFIG_RANDOM32_SELFTEST 175 263 static struct prandom_test1 { ··· 245 423 { 407983964U, 921U, 728767059U }, 246 424 }; 247 425 248 - static void __init prandom_state_selftest(void) 426 + static u32 __extract_hwseed(void) 427 + { 428 + unsigned int val = 0; 429 + 430 + (void)(arch_get_random_seed_int(&val) || 431 + arch_get_random_int(&val)); 432 + 433 + return val; 434 + } 435 + 436 + static void prandom_seed_early(struct rnd_state *state, u32 seed, 437 + bool mix_with_hwseed) 438 + { 439 + #define LCG(x) ((x) * 69069U) /* super-duper LCG */ 440 + #define HWSEED() (mix_with_hwseed ? 
__extract_hwseed() : 0) 441 + state->s1 = __seed(HWSEED() ^ LCG(seed), 2U); 442 + state->s2 = __seed(HWSEED() ^ LCG(state->s1), 8U); 443 + state->s3 = __seed(HWSEED() ^ LCG(state->s2), 16U); 444 + state->s4 = __seed(HWSEED() ^ LCG(state->s3), 128U); 445 + } 446 + 447 + static int __init prandom_state_selftest(void) 249 448 { 250 449 int i, j, errors = 0, runs = 0; 251 450 bool error = false; ··· 306 463 pr_warn("prandom: %d/%d self tests failed\n", errors, runs); 307 464 else 308 465 pr_info("prandom: %d self tests passed\n", runs); 466 + return 0; 309 467 } 468 + core_initcall(prandom_state_selftest); 310 469 #endif 470 + 471 + /* 472 + * The prandom_u32() implementation is now completely separate from the 473 + * prandom_state() functions, which are retained (for now) for compatibility. 474 + * 475 + * Because of (ab)use in the networking code for choosing random TCP/UDP port 476 + * numbers, which open DoS possibilities if guessable, we want something 477 + * stronger than a standard PRNG. But the performance requirements of 478 + * the network code do not allow robust crypto for this application. 479 + * 480 + * So this is a homebrew Junior Spaceman implementation, based on the 481 + * lowest-latency trustworthy crypto primitive available, SipHash. 482 + * (The authors of SipHash have not been consulted about this abuse of 483 + * their work.) 484 + * 485 + * Standard SipHash-2-4 uses 2n+4 rounds to hash n words of input to 486 + * one word of output. This abbreviated version uses 2 rounds per word 487 + * of output. 488 + */ 489 + 490 + struct siprand_state { 491 + unsigned long v0; 492 + unsigned long v1; 493 + unsigned long v2; 494 + unsigned long v3; 495 + }; 496 + 497 + static DEFINE_PER_CPU(struct siprand_state, net_rand_state) __latent_entropy; 498 + DEFINE_PER_CPU(unsigned long, net_rand_noise); 499 + EXPORT_PER_CPU_SYMBOL(net_rand_noise); 500 + 501 + /* 502 + * This is the core CPRNG function. 
As "pseudorandom", this is not used 503 + * for truly valuable things, just intended to be a PITA to guess. 504 + * For maximum speed, we do just two SipHash rounds per word. This is 505 + * the same rate as 4 rounds per 64 bits that SipHash normally uses, 506 + * so hopefully it's reasonably secure. 507 + * 508 + * There are two changes from the official SipHash finalization: 509 + * - We omit some constants XORed with v2 in the SipHash spec as irrelevant; 510 + * they are there only to make the output rounds distinct from the input 511 + * rounds, and this application has no input rounds. 512 + * - Rather than returning v0^v1^v2^v3, return v1+v3. 513 + * If you look at the SipHash round, the last operation on v3 is 514 + * "v3 ^= v0", so "v0 ^ v3" just undoes that, a waste of time. 515 + * Likewise "v1 ^= v2". (The rotate of v2 makes a difference, but 516 + * it still cancels out half of the bits in v2 for no benefit.) 517 + * Second, since the last combining operation was xor, continue the 518 + * pattern of alternating xor/add for a tiny bit of extra non-linearity. 519 + */ 520 + static inline u32 siprand_u32(struct siprand_state *s) 521 + { 522 + unsigned long v0 = s->v0, v1 = s->v1, v2 = s->v2, v3 = s->v3; 523 + unsigned long n = raw_cpu_read(net_rand_noise); 524 + 525 + v3 ^= n; 526 + PRND_SIPROUND(v0, v1, v2, v3); 527 + PRND_SIPROUND(v0, v1, v2, v3); 528 + v0 ^= n; 529 + s->v0 = v0; s->v1 = v1; s->v2 = v2; s->v3 = v3; 530 + return v1 + v3; 531 + } 532 + 533 + 534 + /** 535 + * prandom_u32 - pseudo random number generator 536 + * 537 + * A 32 bit pseudo-random number is generated using a fast 538 + * algorithm suitable for simulation. This algorithm is NOT 539 + * considered safe for cryptographic use. 
540 + */ 541 + u32 prandom_u32(void) 542 + { 543 + struct siprand_state *state = get_cpu_ptr(&net_rand_state); 544 + u32 res = siprand_u32(state); 545 + 546 + trace_prandom_u32(res); 547 + put_cpu_ptr(&net_rand_state); 548 + return res; 549 + } 550 + EXPORT_SYMBOL(prandom_u32); 551 + 552 + /** 553 + * prandom_bytes - get the requested number of pseudo-random bytes 554 + * @buf: where to copy the pseudo-random bytes to 555 + * @bytes: the requested number of bytes 556 + */ 557 + void prandom_bytes(void *buf, size_t bytes) 558 + { 559 + struct siprand_state *state = get_cpu_ptr(&net_rand_state); 560 + u8 *ptr = buf; 561 + 562 + while (bytes >= sizeof(u32)) { 563 + put_unaligned(siprand_u32(state), (u32 *)ptr); 564 + ptr += sizeof(u32); 565 + bytes -= sizeof(u32); 566 + } 567 + 568 + if (bytes > 0) { 569 + u32 rem = siprand_u32(state); 570 + 571 + do { 572 + *ptr++ = (u8)rem; 573 + rem >>= BITS_PER_BYTE; 574 + } while (--bytes > 0); 575 + } 576 + put_cpu_ptr(&net_rand_state); 577 + } 578 + EXPORT_SYMBOL(prandom_bytes); 579 + 580 + /** 581 + * prandom_seed - add entropy to pseudo random number generator 582 + * @entropy: entropy value 583 + * 584 + * Add some additional seed material to the prandom pool. 585 + * The "entropy" is actually our IP address (the only caller is 586 + * the network code), not for unpredictability, but to ensure that 587 + * different machines are initialized differently. 
588 + */ 589 + void prandom_seed(u32 entropy) 590 + { 591 + int i; 592 + 593 + add_device_randomness(&entropy, sizeof(entropy)); 594 + 595 + for_each_possible_cpu(i) { 596 + struct siprand_state *state = per_cpu_ptr(&net_rand_state, i); 597 + unsigned long v0 = state->v0, v1 = state->v1; 598 + unsigned long v2 = state->v2, v3 = state->v3; 599 + 600 + do { 601 + v3 ^= entropy; 602 + PRND_SIPROUND(v0, v1, v2, v3); 603 + PRND_SIPROUND(v0, v1, v2, v3); 604 + v0 ^= entropy; 605 + } while (unlikely(!v0 || !v1 || !v2 || !v3)); 606 + 607 + WRITE_ONCE(state->v0, v0); 608 + WRITE_ONCE(state->v1, v1); 609 + WRITE_ONCE(state->v2, v2); 610 + WRITE_ONCE(state->v3, v3); 611 + } 612 + } 613 + EXPORT_SYMBOL(prandom_seed); 614 + 615 + /* 616 + * Generate some initially weak seeding values to allow 617 + * the prandom_u32() engine to be started. 618 + */ 619 + static int __init prandom_init_early(void) 620 + { 621 + int i; 622 + unsigned long v0, v1, v2, v3; 623 + 624 + if (!arch_get_random_long(&v0)) 625 + v0 = jiffies; 626 + if (!arch_get_random_long(&v1)) 627 + v1 = random_get_entropy(); 628 + v2 = v0 ^ PRND_K0; 629 + v3 = v1 ^ PRND_K1; 630 + 631 + for_each_possible_cpu(i) { 632 + struct siprand_state *state; 633 + 634 + v3 ^= i; 635 + PRND_SIPROUND(v0, v1, v2, v3); 636 + PRND_SIPROUND(v0, v1, v2, v3); 637 + v0 ^= i; 638 + 639 + state = per_cpu_ptr(&net_rand_state, i); 640 + state->v0 = v0; state->v1 = v1; 641 + state->v2 = v2; state->v3 = v3; 642 + } 643 + 644 + return 0; 645 + } 646 + core_initcall(prandom_init_early); 647 + 648 + 649 + /* Stronger reseeding when available, and periodically thereafter. */ 650 + static void prandom_reseed(struct timer_list *unused); 651 + 652 + static DEFINE_TIMER(seed_timer, prandom_reseed); 653 + 654 + static void prandom_reseed(struct timer_list *unused) 655 + { 656 + unsigned long expires; 657 + int i; 658 + 659 + /* 660 + * Reinitialize each CPU's PRNG with 128 bits of key. 
661 + * No locking on the CPUs, but then somewhat random results are, 662 + * well, expected. 663 + */ 664 + for_each_possible_cpu(i) { 665 + struct siprand_state *state; 666 + unsigned long v0 = get_random_long(), v2 = v0 ^ PRND_K0; 667 + unsigned long v1 = get_random_long(), v3 = v1 ^ PRND_K1; 668 + #if BITS_PER_LONG == 32 669 + int j; 670 + 671 + /* 672 + * On 32-bit machines, hash in two extra words to 673 + * approximate 128-bit key length. Not that the hash 674 + * has that much security, but this prevents a trivial 675 + * 64-bit brute force. 676 + */ 677 + for (j = 0; j < 2; j++) { 678 + unsigned long m = get_random_long(); 679 + 680 + v3 ^= m; 681 + PRND_SIPROUND(v0, v1, v2, v3); 682 + PRND_SIPROUND(v0, v1, v2, v3); 683 + v0 ^= m; 684 + } 685 + #endif 686 + /* 687 + * Probably impossible in practice, but there is a 688 + * theoretical risk that a race between this reseeding 689 + * and the target CPU writing its state back could 690 + * create the all-zero SipHash fixed point. 691 + * 692 + * To ensure that never happens, ensure the state 693 + * we write contains no zero words. 694 + */ 695 + state = per_cpu_ptr(&net_rand_state, i); 696 + WRITE_ONCE(state->v0, v0 ? v0 : -1ul); 697 + WRITE_ONCE(state->v1, v1 ? v1 : -1ul); 698 + WRITE_ONCE(state->v2, v2 ? v2 : -1ul); 699 + WRITE_ONCE(state->v3, v3 ? v3 : -1ul); 700 + } 701 + 702 + /* reseed every ~60 seconds, in [40 .. 80) interval with slack */ 703 + expires = round_jiffies(jiffies + 40 * HZ + prandom_u32_max(40 * HZ)); 704 + mod_timer(&seed_timer, expires); 705 + } 706 + 707 + /* 708 + * The random ready callback can be called from almost any interrupt. 709 + * To avoid worrying about whether it's safe to delay that interrupt 710 + * long enough to seed all CPUs, just schedule an immediate timer event. 
711 + */ 712 + static void prandom_timer_start(struct random_ready_callback *unused) 713 + { 714 + mod_timer(&seed_timer, jiffies); 715 + } 716 + 717 + #ifdef CONFIG_RANDOM32_SELFTEST 718 + /* Principle: True 32-bit random numbers will all have 16 differing bits on 719 + * average. For each 32-bit number, there are 601M numbers differing by 16 720 + * bits, and 89% of the numbers differ by at least 12 bits. Note that more 721 + * than 16 differing bits also implies a correlation with inverted bits. Thus 722 + * we take 1024 random numbers and compare each of them to the other ones, 723 + * counting the deviation of correlated bits to 16. Constants report 32, 724 + * counters 32-log2(TEST_SIZE), and pure randoms, around 6 or lower. With the 725 + * u32 total, TEST_SIZE may be as large as 4096 samples. 726 + */ 727 + #define TEST_SIZE 1024 728 + static int __init prandom32_state_selftest(void) 729 + { 730 + unsigned int x, y, bits, samples; 731 + u32 xor, flip; 732 + u32 total; 733 + u32 *data; 734 + 735 + data = kmalloc(sizeof(*data) * TEST_SIZE, GFP_KERNEL); 736 + if (!data) 737 + return 0; 738 + 739 + for (samples = 0; samples < TEST_SIZE; samples++) 740 + data[samples] = prandom_u32(); 741 + 742 + flip = total = 0; 743 + for (x = 0; x < samples; x++) { 744 + for (y = 0; y < samples; y++) { 745 + if (x == y) 746 + continue; 747 + xor = data[x] ^ data[y]; 748 + flip |= xor; 749 + bits = hweight32(xor); 750 + total += (bits - 16) * (bits - 16); 751 + } 752 + } 753 + 754 + /* We'll return the average deviation as 2*sqrt(corr/samples), which 755 + * is also sqrt(4*corr/samples) which provides a better resolution. 
756 + */ 757 + bits = int_sqrt(total / (samples * (samples - 1)) * 4); 758 + if (bits > 6) 759 + pr_warn("prandom32: self test failed (at least %u bits" 760 + " correlated, fixed_mask=%#x fixed_value=%#x\n", 761 + bits, ~flip, data[0] & ~flip); 762 + else 763 + pr_info("prandom32: self test passed (less than %u bits" 764 + " correlated)\n", 765 + bits+1); 766 + kfree(data); 767 + return 0; 768 + } 769 + core_initcall(prandom32_state_selftest); 770 + #endif /* CONFIG_RANDOM32_SELFTEST */ 771 + 772 + /* 773 + * Start periodic full reseeding as soon as strong 774 + * random numbers are available. 775 + */ 776 + static int __init prandom_init_late(void) 777 + { 778 + static struct random_ready_callback random_ready = { 779 + .func = prandom_timer_start 780 + }; 781 + int ret = add_random_ready_callback(&random_ready); 782 + 783 + if (ret == -EALREADY) { 784 + prandom_timer_start(&random_ready); 785 + ret = 0; 786 + } 787 + return ret; 788 + } 789 + late_initcall(prandom_init_late);
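Review bot: In prandom32_state_selftest the line `bits = int_sqrt(total / (samples * (samples - 1)) * 4);` divides first and multiplies by 4 afterwards, so the extra resolution the comment above it promises (sqrt(4*corr/samples)) is thrown away by the integer division before the scaling happens. Dividing the denominator instead keeps the resolution without widening the arithmetic: `bits = int_sqrt(total / (samples * (samples - 1) / 4));` (exact for the power-of-two TEST_SIZE used here; widening total to u64 instead would need a do_div-style helper on 32-bit builds). The same function silently returns 0 when kmalloc fails, so a selftest that never ran is indistinguishable from one that passed; a pr_warn on that path would make the skip visible. prandom32_state_selftest starts and ends inside this section.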
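--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -145,6 +145,7 @@
 #include <linux/indirect_call_wrapper.h>
 #include <net/devlink.h>
 #include <linux/pm_runtime.h>
+#include <linux/prandom.h>
 
 #include "net-sysfs.h"
 
@@ -3559,6 +3558,7 @@
 	dev_queue_xmit_nit(skb, dev);
 
 	len = skb->len;
+	PRANDOM_ADD_NOISE(skb, dev, txq, len + jiffies);
 	trace_net_dev_start_xmit(skb, dev);
 	rc = netdev_start_xmit(skb, dev, txq, more);
 	trace_net_dev_xmit(skb, rc, dev, len);
@@ -4132,6 +4130,7 @@
 	if (!skb)
 		goto out;
 
+	PRANDOM_ADD_NOISE(skb, dev, txq, jiffies);
 	HARD_TX_LOCK(dev, txq, cpu);
 
 	if (!netif_xmit_stopped(txq)) {
@@ -4198,6 +4195,7 @@
 
 	skb_set_queue_mapping(skb, queue_id);
 	txq = skb_get_tx_queue(dev, skb);
+	PRANDOM_ADD_NOISE(skb, dev, txq, jiffies);
 
 	local_bh_disable();
 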
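Review bot: The three PRANDOM_ADD_NOISE calls are inserted into the transmit paths without a comment, so a reader of the xmit code sees a PRNG helper on a hot path with no hint of its purpose; a one-line note at the first site, e.g. `/* Feed transmit activity into the prandom noise (see prandom_u32_add_noise) */`, would carry the intent. The first site mixes in `len + jiffies` while the other two use `jiffies` alone; if the difference is intended it deserves a word, and if not the three calls could be made uniform. All three enclosing functions begin and end outside the hunks shown.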